This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Progression fo checking using WEB Proxy

So what is the progression of checks/filters/etc when activating the use of Web Filtering?

AT our Central ASG site I have 8 network segments defined. I wish to force all internet bound network traffic (http/s, ftp, etc.) for four of these network segments through the Web proxy.

We do not have a directory server currently defined so I have setup the web proxy into Standard mode running on port 3228 and setup a PAC file on the ASG proxy page.

So My question is does the packet filters take priority over the web filters or or is it the other way around? I want to ensure that any computer without a proxy setup cannot get off the network before setting up the proxy settings. So far it looks like if I am not using the proxy settings, I can still exit the network bypassing the proxy filters.

This thread was automatically locked due to age.

0 BAlfson over 15 years ago

Not sure that I understand 100%, but here are the standards:
DNATs come before proxies come before packet filter rules you create.

A subnet only accesses the proxy if listed in 'Allowed networks'

A 'Proxy Profile' applies only to the subnets assigned to it.

If a packet isn't allowed by a PF rule or a proxy, it is "default drop"ped by the firewall.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 skydiver over 15 years ago

Thanks.  I need to see how my rules are being applied.  I am a little confused in a hub-spoke remote office config how to direct only certain network segments to come through the central hub then our through the proxy for internet.

So at the remote ASG's I need to start thusly (please check my work)
Remote office:
Networks defined 10.10.10.0/24 and 10.15.10.0/24
ASG device IP 10.10.10.1
Central Office:
Networks defined 10.10.2.0/24 and 10.15.2.0/24
ASG device IP 10.10.2.1
http proxy running on 10.10.2.1

From the remote office I want all 10.10.10.0 traffic to come through central hub ASG and routed accordingly (may need to traverses central hub to remote office 2 10.10.11.0).  Any internet bound traffic needs to be directed through http proxy on central ASG.

Remote Office 10.15.10.0 should go directly to Internet from remote ASG
Assumptions:
IPSEC tunnel exists and is pingable from all remote locations on the 10.10.0.0 network.

Packet Filter Rules:
At remote location:
Packet Filter Rule 1: Allow 10.15.10.0-->ANY-->ANY
Packet Filter Rule 2: Allow 10.10.10.0-->ANY-->10.10.2.1

At central location:
http proxy allow: 10.10.0.0/16

NO Packet Filter rules for 10.10.0.0 to ensure all outbound all traffic is forced through web proxy?

If I had an allow of certain traffic defined by packet rule and a deny by proxy would it be allowed of denied?  based on your progression above it would be denied but not good practice.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 15 years ago

Here's a post I created early last year from a post in German by Gert Hansen describing how to do hub and spoke.

I'm not sure I understand, but, if 10.15.1.2 is in a subnet both allowed 'Any -> Any' by a packet filter rule and in 'Allowed networks' in HTTP/S running in standard mode, then it will browse via the proxy if its browser is pointed at the proxy, or via the packet filter if not.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 skydiver over 15 years ago

Thanks Bob I will look the post over and report back.

The Packet Filter Rule 1: Allow 10.15.10.0-->ANY-->ANY at my remote location is what is currently in place. I realize now that I will need to direct this to my VOIP servers only to avoid the issue you recognized.
Cancel
Vote Up 0 Vote Down

Cancel